[ntp:hackers] Findinterface

Terje Mathisen terje.mathisen at hda.hydro.com
Sun Jun 12 23:17:29 PDT 2005


hackers-bounces at support.ntp.org wrote:

> Todd,
> 
> We have had this discussion before. There is no way to guarantee 
> timekeeping performance other than on a probabilistic basis for real

'probabilistic' is the crucial point!

> world or in simulation with artificial signals. I do take exception
> to your statement that NTP has not been rigorously tested. See my
> papers and briefings, as well as three comprehensive surveys in past
> years. Greg Troxel and his dissertation at MIT come to mind. As for
> nobody else testing it, talk to Martin Marietta, who are testing it
> for the DDX destroyer. Talk to Bellcore, a former consulting client
> who did the same. It is true that testing was intended for a specific
> program and the testers did not have merit badges.

I do get the feeling that Todd is trying to sell a product/consulting
contract. :-(

The best one can do with NTP is to calculate rigid upper bounds on the
maximum error (or rather offset slew rate) based on the existing or
proposed infrastructure, and then compare this with the maximum errors
that can be tolerated in a given situation.

By avoiding all use of ntpdate, and feeding ntpd a nice set of
independent sources, based on both locally controlled refclocks (radio,
cdma, gps, loran etc) as well as multiple network sources, with the
network sources using independent routing paths, I believe I can
calculate a useful confidence level for my corporate ntp infrastructure.

> 
> Now, if what you mean by performance audit is an examination of the 
> algorithms for verifiable correctness principles, that would indeed
> be useful. I've suggested the exercise as training in computer
> science courses, especially using Estelle or Lotus. Maybe push harder
> on that agenda once the book is at the printers.
> 
> There is a glaring fault now that a rigorous test plan needs to be 
> developed. I dropped a preliminary test plan on the task force and
> asked for help but got zero response. Only when the test plan is
> executed successfully would the code even be eligible for audit.
> 
> Having said that, I believe there is no way the current code base can
> be audited or even morphed to auditable shape. It would have to be 
> reconstructed from scratch rigorously from the spec, should it 
> eventually appear. I give you the X.25 wars thirty years ago. The
> only way that will happen is to drop beaucoup bucks on a Beltway
> bandit and limit it only to one system, nonportable and all the
> necessary options (only) be made permanent.

It isn't really necessary to audit the ntp code base at all: If you're
in a situation where NTP performance is _really_ critical, then I
suggest setting up one or two independent auditing workstations:

These two would use a totally independent code base, like Nick
Maclaren's SNTP implementation, to passively sample the performance of
the central ntpd servers, while never updating their own local clocks.

The local clock would instead be manually tuned/adjusted once a week,
using Mark 1 eyeball/wristwatch to verify the measured offset from the
ntpd infrastructure, so as to remove the first-order clock slew rate.

This would be good enough to ensure that the audit/monitor system would
never be more than about a second away from the proper UTC time, so any
monitored offset in excess of this would be reason for an alarm and
manual intervention.

Even if some adversary could simultaneously spoof all of your network
connections, as well as all your refclock sources, he still couldn't
affect the monitoring system, right?

BTW, I am currently installing a complete new worldwide ntp
infrastructure here in Hydro, with servers in the USA, Germany, Norway
and Singapore. I use refclocks based on four or five different GPS
chipsets, as well as CDMA cell phone signals (Tampa, FL) and DCF77 radio
signals (Germany). Two of my black box hw refclocks use independently
developed ntp implementations, not ported from ntpd, which means that
even if someone managed to suborn the official ntp distribution a long
time ago, it won't affect them.

When all of these sources agree with each other, and with a number of
network peers, about what UTC is, then the likelihood of them all being
wrong (even in the face of a _very_ resourceful adversary) is so low as
to be totally negligible.

IMHO, this is actually total overkill; it is just that it turned out to
be not much more expensive to do it this way than to just have a few
geographically dispersed single-vendor refclocks. :-)

> Just to gain some perspective here, the BlueCross BlueShield
> Association has in fact formally audited NTP with respect to their
> internal applications and found it acceptable. I admit I am a
> consultant to BCBSA.
> 
:-)

Terje

-- 
- <Terje.Mathisen at hda.hydro.com>
"almost all programming can be viewed as an exercise in caching"
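The passive audit workstation described in the mail (an independent SNTP sampler that never sets its own clock, alarms on an offset beyond about a second, and also checks that the sources agree with each other, as in the later paragraph), as an added example that is not part of the original mail and not Nick Maclaren's or any ntpd code. Server names, the 1 s and 0.5 s thresholds, and the reply packets built by make_reply are constructed assumptions for illustration; query() is the only part that touches the network.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def ntp_to_unix(raw):  # 64-bit NTP timestamp (32.32 fixed point) -> Unix seconds (float)
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / 2**32
def unix_to_ntp(t):  # Unix seconds (float) -> 64-bit NTP timestamp
    return ((int(t) + NTP_EPOCH_OFFSET) << 32) | int((t - int(t)) * 2**32)

def parse_response(pkt):
    """Return (leap, stratum, t2_receive, t3_transmit) from a 48-byte NTP server reply."""
    if len(pkt) < 48 or (pkt[0] & 0x7) != 4:  # mode 4 = server reply
        raise ValueError("not a valid NTP server reply")
    recv, xmit = struct.unpack("!QQ", pkt[32:48])
    return pkt[0] >> 6, pkt[1], ntp_to_unix(recv), ntp_to_unix(xmit)

def offset_and_delay(t1, t2, t3, t4):
    """Standard SNTP clock offset and round-trip delay (RFC 2030 / RFC 4330)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def query(server, timeout=2.0):
    """One live sample (t1, reply, t4): reads the local clock but never sets it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(bytes([0x23]) + bytes(47), (server, 123))  # LI=0, VN=4, mode 3 (client)
        return t1, s.recv(48), time.time()

def audit(samples, max_offset=1.0, max_spread=0.5):
    """(server, t1, reply, t4) samples -> (offsets, alarms) for unsynchronised, out-of-bounds or disagreeing sources."""
    offsets, alarms = {}, []
    for server, t1, pkt, t4 in samples:
        leap, stratum, t2, t3 = parse_response(pkt)
        if leap == 3 or stratum == 0 or stratum >= 16:
            alarms.append(f"{server}: unsynchronised (leap={leap}, stratum={stratum})")
            continue
        off, delay = offset_and_delay(t1, t2, t3, t4)
        offsets[server] = off
        if abs(off) > max_offset:
            alarms.append(f"{server}: offset {off:+.3f}s (delay {delay:.3f}s) exceeds {max_offset}s")
    spread = max(offsets.values()) - min(offsets.values()) if len(offsets) > 1 else 0.0
    if spread > max_spread:
        alarms.append(f"sources disagree by {spread:.3f}s")
    return offsets, alarms

def make_reply(t2, t3, stratum=2, leap=0):  # constructed 48-byte server reply for offline testing
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum, 6, 0xEC])  # LI, VN=4, mode 4; poll; precision
    return header + struct.pack("!IIIQQQQ", 0, 0, 0x47505300,  # root delay, root disp, refid "GPS"
                                unix_to_ntp(t2), 0, unix_to_ntp(t2), unix_to_ntp(t3))
```

A cron job that feeds audit() a query() result per server every few minutes gives the monitor described in the mail; as long as the local clock is hand-trimmed now and then, any offset above the threshold is a real alarm rather than monitor drift.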